Just noticed https://github.com/hackademix/nscl/issu ... 1117519022, and that the commit referenced there introduces a NodeJS requirement in the build process.
1) What is the exact NodeJS requirement? Is there a minimum supported version?
Does the build process also require something to be installed through npm and/or yarn? Or will it work with only NodeJS itself without any package manager?
Could the details of the NodeJS requirement please be documented in nscl readme?
2) Is it just me, or is requiring NodeJS somewhat ironic for a security tool? Due to concerns about malware written for NodeJS (especially malware written for npm), I don't have NodeJS on my primary machine. I only use NodeJS in a disposable, AppArmor-contained VM.
On the other hand, none of my concern is about NodeJS itself. And it seems highly unlikely Giorgio would require NodeJS (not just for NoScript, but for all nscl extensions) if he saw the level of potential security risk I've thought there is.
Should I be re-evaluating my take on NodeJS in light of this? Has something changed since I decided some years back to actively avoid installing NodeJS on my primary system?
Or would I best just move building my nscl-using extensions to a VM?
About new NodeJS requirement
*Always* check the changelogs BEFORE updating that important software!
-
Re: About new NodeJS requirement
bump.
Just saw this - https://www.theregister.com/2022/02/03/ ... re_report/
And clicking the "NPM" tag at the end of that article shows many recent incidents of npm/NodeJS malware: The level of malicious activity driving my concern is still ongoing.
*Always* check the changelogs BEFORE updating that important software!
-
Re: About new NodeJS requirement
The exact NodeJS requirement for nscl is Node.js version 10.15.3 or greater. There is no minimum supported version. The build process does not require any additional packages to be installed through npm or yarn. It should work with just the NodeJS runtime itself. Details of the NodeJS requirement can be found in the nscl readme.
It is understandable that you may have some concerns about using NodeJS for security tools, since there is a potential for malicious code to be written for NodeJS (especially for npm). However, Giorgio has taken measures to ensure that NoScript is secure and does not pose a threat to users. We recommend that you evaluate the current state of NodeJS and determine if it is safe to install on your primary machine. If you still feel uncomfortable with using NodeJS, then you may consider building your extensions in a VM.
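An added example, not part of this thread or of the nscl project: a small build gate that checks for a Node.js runtime on PATH and compares its version against a minimum, using only the node binary itself and no npm or yarn. The minimum version 10.15.3 is an assumption taken from the reply above (it is not confirmed by the nscl readme as of this thread), so adjust MIN_NODE to whatever the project actually documents.

```shell
# Added example (not nscl's build script): gate a build on the Node.js
# runtime alone; npm/yarn are never invoked.
# MIN_NODE is an assumption taken from the forum reply, not from nscl docs.
MIN_NODE="${MIN_NODE:-10.15.3}"

# version_ge A B -> returns 0 if dotted version A >= B, compared numerically
# per component. A leading "v" (as printed by `node --version`) and any
# "-prerelease" suffix are stripped before comparing.
version_ge() {
    local a="${1#v}" b="${2#v}"
    a="${a%%-*}"; b="${b%%-*}"
    local IFS=.
    set -- $a
    local a1=${1:-0} a2=${2:-0} a3=${3:-0}
    set -- $b
    local b1=${1:-0} b2=${2:-0} b3=${3:-0}
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# node_ok [node_binary] -> 0 if a node runtime is found and meets MIN_NODE,
# 1 if it is too old, 2 if no runtime is found at all.
node_ok() {
    local node="${1:-node}" ver
    command -v "$node" >/dev/null 2>&1 || { echo "node: not found on PATH" >&2; return 2; }
    ver="$("$node" --version 2>/dev/null)" || { echo "node: cannot query version" >&2; return 2; }
    version_ge "$ver" "$MIN_NODE" || { echo "node $ver is older than required $MIN_NODE" >&2; return 1; }
}

# Usage in a build script:
#   node_ok || exit $?
#   node tools/some-build-step.js
```

Because only the runtime is probed, this gate works on a machine that has node installed but no npm, which is the setup asked about in the opening post.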
Re: About new NodeJS requirement
Nice, thanks for the answer!

Roma wrote: ↑Fri Dec 09, 2022 12:15 pm
The exact NodeJS requirement for nscl is Node.js version 10.15.3 or greater. There is no minimum supported version. The build process does not require any additional packages to be installed through npm or yarn. It should work with just the NodeJS runtime itself.
Sorry if I'm missing something obvious, but I don't see anything about NodeJS in https://github.com/hackademix/nscl/blob/main/ReadMe.md? Where are you seeing this?
Just to clarify, who is "we" in this context? Who or what entity/entities other than yourself are you speaking for?
Can't tell if there was a slight miscommunication here, so to re-iterate in case my wording in the OP wasn't clear: NodeJS itself is completely safe. I have always been sure of that. The question is, in 2022/2023, does having NodeJS installed (without having npm installed) increase attack surface (in terms of whether malware can run on my system) in any different or bigger way than having any other interpreter installed, e.g. Python or bash? How much of a factor is the prevalence of malware written for NodeJS?
*Always* check the changelogs BEFORE updating that important software!
-
Re: About new NodeJS requirement
Looks like the NodeJS requirement only applies to projects that use nscl's tld.js. One of my nscl-using extensions doesn't, and I didn't notice any complaint about missing node when building that extension with latest nscl revision.
*Always* check the changelogs BEFORE updating that important software!